Hi (again) SRM, I also have an update for OpenVPN, fixing CVE-2013-2061 (#707329). Please find attached the corresponding debdiff.
Thanks, Alberto -- Alberto Gonzalez Iniesta | Formación, consultoría y soporte técnico agi@(inittab.org|debian.org)| en GNU/Linux y software libre Encrypted mail preferred | http://inittab.com Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
diff -Nru openvpn-2.2.1/debian/changelog openvpn-2.2.1/debian/changelog --- openvpn-2.2.1/debian/changelog 2012-03-23 09:42:31.000000000 +0000 +++ openvpn-2.2.1/debian/changelog 2013-06-04 09:46:37.000000000 +0000 @@ -1,3 +1,10 @@ +openvpn (2.2.1-8+deb7u1) wheezy; urgency=low + + * Applied upstream patch to fix use of non-constant-time memcmp + in HMAC comparison. CVE-2013-2061. (Closes: #707329) + + -- Alberto Gonzalez Iniesta <[email protected]> Fri, 17 May 2013 11:33:07 +0000 + openvpn (2.2.1-8) unstable; urgency=low * Enable "PIE" and "BINDOW" hardening flags. diff -Nru openvpn-2.2.1/debian/patches/cve-2013-2061.patch openvpn-2.2.1/debian/patches/cve-2013-2061.patch --- openvpn-2.2.1/debian/patches/cve-2013-2061.patch 1970-01-01 00:00:00.000000000 +0000 +++ openvpn-2.2.1/debian/patches/cve-2013-2061.patch 2013-05-17 11:32:50.000000000 +0000 @@ -0,0 +1,64 @@ +Index: openvpn-2.2.1/buffer.h +=================================================================== +--- openvpn-2.2.1.orig/buffer.h 2013-05-17 11:30:23.000000000 +0000 ++++ openvpn-2.2.1/buffer.h 2013-05-17 11:32:44.528455426 +0000 +@@ -620,6 +620,10 @@ + } + } + ++/** ++ * Compare src buffer contents with match. ++ * *NOT* constant time. Do not use when comparing HMACs. ++ */ + static inline bool + buf_string_match (const struct buffer *src, const void *match, int size) + { +@@ -628,6 +632,10 @@ + return memcmp (BPTR (src), match, size) == 0; + } + ++/** ++ * Compare first size bytes of src buffer contents with match. ++ * *NOT* constant time. Do not use when comparing HMACs. ++ */ + static inline bool + buf_string_match_head (const struct buffer *src, const void *match, int size) + { +Index: openvpn-2.2.1/crypto.c +=================================================================== +--- openvpn-2.2.1.orig/crypto.c 2011-04-27 09:52:59.000000000 +0000 ++++ openvpn-2.2.1/crypto.c 2013-05-17 11:32:44.528455426 +0000 +@@ -70,6 +70,24 @@ + #define CRYPT_ERROR(format) \ + do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false) + ++/** ++ * As memcmp(), but constant-time. ++ * Returns 0 when data is equal, non-zero otherwise. ++ */ ++static int ++memcmp_constant_time (const void *a, const void *b, size_t size) { ++ const uint8_t * a1 = a; ++ const uint8_t * b1 = b; ++ int ret = 0; ++ size_t i; ++ ++ for (i = 0; i < size; i++) { ++ ret |= *a1++ ^ *b1++; ++ } ++ ++ return ret; ++} ++ + void + openvpn_encrypt (struct buffer *buf, struct buffer work, + const struct crypto_options *opt, +@@ -254,7 +272,7 @@ + ASSERT (hmac_len == in_hmac_len); + + /* Compare locally computed HMAC with packet HMAC */ +- if (memcmp (local_hmac, BPTR (buf), hmac_len)) ++ if (memcmp_constant_time (local_hmac, BPTR (buf), hmac_len)) + CRYPT_ERROR ("packet HMAC authentication failed"); + + ASSERT (buf_advance (buf, hmac_len)); diff -Nru openvpn-2.2.1/debian/patches/series openvpn-2.2.1/debian/patches/series --- openvpn-2.2.1/debian/patches/series 2012-03-16 09:46:03.000000000 +0000 +++ openvpn-2.2.1/debian/patches/series 2013-05-17 11:32:40.000000000 +0000 @@ -9,3 +9,4 @@ accommodate_typo.patch manpage_fixes.patch use-dpkg-buildflags.patch +cve-2013-2061.patch
